Consumer Privacy Protection using Flexible Thermal Loads

by   Jun-Xing Chin, et al.
University of Colorado Boulder

Due to the increasing adoption of smart meters, there are growing concerns about consumer privacy risks stemming from the high resolution metering data. To counter these risks, there have been various works in shaping the grid-visible energy consumption profile using controllable loads. However, most works have focused on using energy storage systems (ESSs). In this paper, we explore the use of flexible thermal loads (FTLs) for consumer privacy protection. The theoretical limitations of using FTLs are compared to systems using ESSs. It is shown that due to the limitations in the operation of FTLs, without significant over-sizing of systems, and sacrifices in consumer comfort, FTLs of much higher equivalent energy storage capacity are required to afford the same level of protection as ESSs. Nonetheless, given their increasing ubiquity, controllable FTLs should be considered for use in consumer privacy protection.



There are no comments yet.


page 1

page 2

page 3

page 4


Load Shaping Based Privacy Protection in Smart Grids: An Overview

Fine-grained energy usage data collected by Smart Meters (SM) is one of ...

Privacy-Aware Smart Metering: Progress and Challenges

The next-generation energy network, the so-called smart grid (SG), promi...

DER Forecast using Privacy Preserving Federated Learning

With increasing penetration of Distributed Energy Resources (DERs) in gr...

A Step towards Advanced Metering for the Smart Grid: A Survey of Energy Monitors

The smart grid initiative has encouraged utility companies worldwide to ...

Optimizing Smart Grid Aggregators and Measuring Degree of Privacy in a Distributed Trust Based Anonymous Aggregation System

A smart grid is an advanced method for supplying electricity to the cons...

EnergyScout: A Consumer Oriented Dashboard for Smart Meter Data Analytics

The increasing popularity of smart meters provides energy consumers in h...

Towards Software-Defined Data Protection: GDPR Compliance at the Storage Layer is Within Reach

Enforcing data protection and privacy rules within large data processing...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Spurred by grid modernisation efforts, the adoption rate of advanced metering infrastructure (AMI) using smart meters (SMs) has risen steadily across the globe in recent years. On one hand, this enables the development of efficient data-driven grid operation and management methods [1]. On the other hand, the high-frequency measurement data provided by AMI can be used to derive the private information of consumers, such as their lifestyle habits, occupation, and religious inclinations [2, 3, 1]. This has led to concerns about privacy risks, and works in quantifying and mitigating these risks, such as [4, 5, 6, 7, 8]. Two main families of privacy protection schemes for consumers with SMs exist, namely smart meter data manipulation (SMDM) schemes, and user demand shaping (UDS) schemes [9].

SMDM schemes modify the SM data before it is transmitted, and include consumer aggregation [10, 11], consumer anonymisation [12, 13], and differential privacy based addition of noise [14]. However, these methods require trusted third parties, either in the processing of the data, or in the supply and installation of SMs with privacy-preserving firmware. UDS methods, on the other hand, physically alter the physical energy consumption profile of the consumers recorded by SMs (grid load), such that it no longer reveals the private information contained in the underlying privacy sensitive consumer load (sensitive load). This is achieved by actively controlling loads to shape the grid load profile, ideally decoupling it from the sensitive load profile. UDS methods can typically be implemented behind-the-meter, which avoids the need for a trusted third-party.

UDS methods can be split into those using energy storage systems (ESSs), and those controlling flexible consumer loads. Fig. 1 illustrates a possible system setup for UDS methods, which is governed by the following equation:


There are numerous recent works using ESSs, e.g., load levelling [5], limiting the load profile to distinct steps [6], and directly minimising an approximate of mutual information (MI) [8]. However, UDS methods utilising flexible consumer loads are scarce in the literature. One such UDS scheme, proposed in [15], utilises the flexible consumer loads to hide occupancy by using artificial signature injection and partial load flattening. The authors then verify their scheme by testing the resultant load profiles on a few occupancy detection algorithms. While in [16], optimised electric vehicle charging and electric furnace are used to obscure recoverable information from non-intrusive load monitoring (NILM) techniques. Notwithstanding, the use of flexible consumer loads for general privacy protection irrespective of the adversarial model is not well studied.

Fig. 1: Possible UDS system setup

With the development of grid communications infrastructure and the proliferation of smart appliances, there are also considerable advances in home energy management systems (HEMSs) that enable the coordination and scheduling of home appliances. HEMSs allow for the optimisation of residential electricity consumption patterns in order to improve efficiency, economics, and the reliability of residential buildings with regards to their role in the grid and occupant comfort[17]. Given increasing interest in HEMSs and the ubiquity of flexible consumer loads, this paper explores the use of HEMSs to control flexible consumer loads in order to mask the private information contained in the grid load about the sensitive load.

The rest of this paper is structured as follows: Section II provides a brief overview of privacy for consumers with smart meters and the use of flexible consumer loads for privacy protection; Section III provides an analytical comparison between consumer privacy protection using ESSs and FTLs; Section IV details the controller design of a HEMS for comparison of realistic systems; Section V presents numerical results; and Section VI concludes the paper.

Ii Consumer Privacy Protection
using Flexible Consumer Loads

One measure of consumer privacy is the mutual information (MI) between the sensitive load and the grid load [4, 7], which measures the amount of information reveals about and vice versa. The MI between and

, which are random processes, can be given as the average MI between the random variables

and that make up the processes [7, 18], i.e.,


where is the MI between the random variables and , and is the number of random variable pairs. This concept of average MI will be used in Section III for the analysis of consumer privacy protection.

Given two random variables and

, the MI between them is given by a function of their joint probability distribution function (PDF)

, and marginal distributions, , and

. These PDFs are typically unknown, and must be estimated. Assuming that multiple samples of

and are available, the PDFs can be estimated using the histogram method. Hence, only for the purpose of estimating these PDFs, assume that the protected and grid loads have finite support, i.e, , and . Then, the MI between and can be given as


where denotes the probability of , and is the base-2 logarithm. As and are continuous in reality, the estimates become more accurate with an increase in and ; but this also requires more samples to prevent over-fitting.

In order to minimise leakage of privacy-sensitive information, it follows that one needs to minimise the MI between the sensitive and grid loads. This can be done either using UDS or SMDM methods as described in Section I, using either ESSs or flexible consumer loads.

The term flexible consumer loads include thermal loads such as hot water heaters and space conditioning, schedulable loads such as clothes and dish washers, and interruptible loads such as the charging of electric vehicles. Flexible consumer loads can be classified into the following categories:

  1. [label=)]

  2. The flexible loads are not privacy-sensitive, i.e., their usage does not reveal privacy sensitive information about the consumer, nor are their presence in a household considered sensitive private information.

  3. The flexible loads are privacy-sensitive with regards to their time-of-use, but not their presence in the household.

  4. The flexible loads are privacy-sensitive, i.e., both their time-of-use and presence in a household reveal sensitive private information.

There are no privacy issues arising from their usage if the flexible loads are of the first category. For loads of the second category, using them to mask the sensitive load inherently also masks the private information they reveal: their time-of-use is shifted and thus, the private information revealed by their original time-of-use is masked. However, if the flexible loads are of the third category, then the privacy-protection problem also needs to consider whether the resulting grid load is able to mask the electrical signature of the flexible loads, i.e., whether the sensitive load is able to sufficiently distort the signatures of the flexible loads.

In this paper, we consider the use of flexible consumer loads within the first two categories in UDS privacy-protection schemes. Moreover, we limit our analysis to flexible thermal loads (FTLs) due to their ability to “store” thermal energy, and are more likely to be interruptible compared to other flexible consumer loads such as washing machines that have minimum cycle times. Inductive FTLs such as heat pumps have complex on/off cycles and electrical signatures, making the analysis of their effectiveness in privacy protection complicated. Hence, in order to draw meaningful conclusions, we will focus on resistance-based FTLs, such as electric-resistance water heaters, and electric-resistance space heaters. In the next section, we will compare the theoretical performance of ESS-based UDS schemes against those using FTLs.

Iii Comparing Privacy Protection using Energy Storage Systems and Flexible Thermal Loads

Setting aside the distinctive constraints of both ESSs and FTLs, the privacy protection afforded by them for UDS differs in one key aspect: ESSs are able to both charge and discharge, i.e., increase or decrease grid load; while traditional residential FTLs are only able to “charge”; i.e., they can draw power from the grid, but typically cannot provide power back to the grid.

Let be the entropy function, with being the probability of the variable and being minimal when the outcome is certain, and maximal when the underlying distribution is uniform. Additionally, assume that the following is true:

  1. [label=()]

  2. No energy wastage is permitted.

  3. The power ratings of the ESS and FTL are sufficiently large to compensate for the difference between the maximum and minimum consumer load, i.e., .

  4. The controller has perfect knowledge of the efficiency curves of the ESS and FTL.

  5. The controller has perfect knowledge of the consumer load and its average .

  6. The ESS has infinite energy storage capacity.

  7. Either the FTL has infinite thermal storage capacity, or it holds for the average electrical equivalent of the consumer thermal demand that .

  8. The FTL demand is continuous, i.e., it is not a step-load.

  9. Both ESS and FTL have an initial state-of-charge of .

Using MI as measure of privacy, the differences in achievable privacy protection by both technologies are discussed in the remainder of this section.

Iii-a The Loads are Independent and Identically Distributed

Let the random variable pair , and its marginals and be independent and identically distributed (i.i.d.), then by definition, MI, can also be written as a function of their Shannon entropies,

Proposition 1.

is minimal when is minimal, i.e., when is minimal.


The distribution of the consumer load is uncontrollable, non-uniform, and the number of outcomes with non-zero probability is non-singular, i.e., . Hence, is greater than zero. Since is non-uniform, as is non-uniform, is limited by the given . Therefore, is minimal when is minimal, i.e., when is minimal, where , instead of when is maximal. ∎

For the rest of the paper, we denote the realisations of the random variables with lowercase letters, as the average value of , as the minimum value that can take, and as its maximum value.

It would be trivial to see that perfect privacy, can be achieved by maintaining a constant grid load, , where . Let the grid load achieved using the ESS be denoted by and that of FTL by , then there exists and such that . While can be any arbitrary value , there is less flexibility for , with . Nonetheless, the theoretical maximum privacy can be achieved by both technologies.

In reality, storage capacity is finite, and for most consumers, it would be unreasonable to assume that the system is undersized, i.e, , where is the electrical equivalent of the average power consumption required in order to maintain consumer comfort. Therefore, assumptions 5 and 6 are made more stringent such that the storage capacity is finite, but sufficiently large to average out consumer load (or thermal demand) over a finite period of time. Additionally, average thermal demand is now assumed to be large, but less than the FTL power rating and that . For ESSs, the controller would now need to select a constant grid load such that , where is the round trip loss of the ESS. This allows a constant that does not empty or fully charge the ESS. As it would be possible to sustain indefinitely, . For FTLs, it follows that . Assume that is still minimised by actuating whenever possible. In this case, we now also have . Let be the total number of samples, and the number of instances where , then


where (5b) follows from the fact that and . Thus, as , i.e., privacy loss using FTLs for UDS schemes is, under the given assumptions on equivalent storage size, greater than those using ESSs given these assumptions.

Iii-B The Loads are First-Order Markov Processes

The random variables , , and are not i.i.d. in reality, and could be better modelled using first-order Markov processes, of which the MI, [7] is given by


Expressing (6) in terms of entropy,

Note that if the random variables , , and are higher-order Markov processes, then (6) forms the upper bound on the actual MI [7]. As ,

It is trivial to see that Proposition 1 still holds, and that is minimal when the entropy of is minimal. Moreover, when assumptions (a) to (g) hold, then both and are minimal and equal to zero. Now, assume that the Markov processes , , and are also stationary, i.e., , , , , and that assumptions 5 and 6 are made more stringent as in the i.i.d. case. Then, , while

where the function gives the number of instances where or , the number of instances where , the number of instances where , and [7]. As , , and (because and are not perfectly correlated), therefore, .

Iii-C Privacy Protection for Actual Systems

For actual systems, the load distributions vary according to the consumer household’s state, and their characterisation is the subject of much research. Despite this, consumer privacy is protected if one can achieve a “flat” grid load that has zero entropy, i.e., zero MI between the sensitive and grid loads. While assumptions 4 and 7 do not hold in reality, it would be possible to implement systems with sufficient storage capacity to average out consumer load (thermal demand). For ESS-based schemes, one would be able to select close to , given a sufficiently large sample size, as the accuracy of the consumer load sample mean as . In addition to , the achievable privacy protection of FTL-based UDS schemes is also dependent on and the ratio of to , which are usually fixed and directly affects the number of instances when . Note that a larger to ratio would require a larger to achieve the same level of privacy protection and vice versa. It would be difficult to compare the performance of actual ESS and FTL-based UDS privacy protection schemes, especially since there is a lot of uncertainty in the system parameters for FTLs. Even so, given the analysis above, the additional dependencies of FTL-based schemes (stochastic thermal demand and dependencies on the ambient environment), and the fact that most FTLs are step-loads, properly designed ESS-based schemes should outperform their FTL-based counterparts.

Iv Formulation of the Optimisation Problem for Numerical Experiments

We compare the performance of privacy protection using ESSs and FTLs in realistic systems by simulating a multi-objective model-predictive control based HEMS controller. For FTLs, we analyse the use of electric hot water heaters (EWHs) and electric resistance space heaters (ERHs), as they better match the analysis in Section III compared to other FTL types. In this section, the modelling of the ESS and FTLs, the formulation of the privacy objective, and the overall optimisation problems used in the HEMS controllers are presented.

Iv-a Privacy Objective

To verify the analysis in Section III, we adopt a privacy objective function that directly minimises an approximation of (3). This MI approximate, as proposed in [8], assumes that and are i.i.d., and is given by:


at time , where is the prediction horizon, , , and are constants used in the estimation of the PDFs , and , is the total number of observations used in the estimate, and

are binary variables used to estimate the PDFs. See

[8] for details on its derivation. Here, we relax binary variables , i.e., let , in order to make (7) a convex function, and overcome the scalability issues identified in [8]. This relaxation affects the performance of the controller in terms of minimising MI, but this is outside the scope of this paper. The following constraints are required in the optimisation of (7):


where is the index corresponding to the given value of , , , and constraint (10) links the grid load to the MI approximate.

Iv-B Modelling of an ESS

Two variables and are used to model the instantaneous charging and discharging powers of the ESS, respectively, in order to capture the different efficiencies during charge and discharge. Additionally, a binary variable is introduced to prevent the simultaneous charging and discharging of the ESS. Let be the energy remaining in the ESS at time , the following constraints are used to model the ESS in the optimisation problem:


where and are the charging and discharging efficiencies of the ESS, respectively, and is the interval of .

Iv-C Modelling of an Electric Hot Water Heater

The thermodynamics in a hot water tank can be modelled by splitting the tank into several sections (nodes). A two-node EWH model proposed in [19] is adopted in order to better capture the thermodynamics of a real device. As the original model was developed for an electric heat pump, we modify it by replacing the coefficient of performance (COP) with one. Also, we assume a temperature dead-band of C around the temperature set-point. This water heater model is given by the following constraints in the optimisation problem:


where superscripts and represent the values for the lower and upper nodes of the tank, respectively. is the water temperature of the node, is the indoor air temperature, is the hot water draw, and is the duty cycle of the EWH tank node at time . Also, is the thermal capacitance of the tank node, is the heat loss coefficient of the node, is the heat capacity of water, is the mains water temperature, is the rated power of the EWH, is the minimum water temperature required for safety (to mitigate Legionella bacterium growth in pipework), and is the maximum permissible water temperature of the EWH. Furthermore, to take into account consumer comfort, variables with constraints:


are introduced to penalise deviations from consumer set-points for the EWH water .

Iv-D Modelling an Electric Resistance Space Heater

To model the dynamics of the space heating system, a data-driven model proposed in [20] is adopted. Similarly, we replace the coefficient of performance (COP) with one, to match the ERH. The model coefficients are derived by using statistical learning on data recorded from actual heating systems. The following constraint captures the dynamics of the system


where , and are parameters learned from data, and are the indoor and outdoor temperatures at time , respectively, is the ERH duty cycle, is the solar irradiance at time ,and is the rated power of the ERH. Similar to the EWH, the proxy comfort variables are used to penalise deviations from consumer set-points. However, as deviations in indoor temperature affect consumer comfort to a higher degree than hot water temperatures, deviations (per C) are penalised with a larger coefficient:


where is the consumer indoor temperature set-point.

Iv-E Optimisation Problem for ESS-based HEMS Controller

For the ESS-based HEMS controller, the following objective function is used:


where is the cost of energy, is the price-of-privacy-loss, and the set enforces constraints (1), and (8) to (15).

The inclusion of the energy costs penalises the charging of the ESS during high-price periods, and when coupled with lower prices-of-privacy-loss, discourages multiple charge-discharge cycles within a day. This allows a better comparison with FTL-based systems, which cannot “discharge”, and hence have equivalent energy storage capacities limited by the average daily thermal demand and system losses.

Iv-F Optimisation Problems for FTL-based HEMS Controller

In addition to the energy costs, the optimisation objective for FTLs should also minimise consumer comfort violations. We minimise , which imposes larger penalties for larger comfort violations. Thus, the optimisation problem for an EWH based HEMS controller is given by


where is the consumer comfort coefficient, and the set enforces the constraints (1), (8) to (10), and (16) to (23). For a system with both an EWH and an ERH, set in (28) is replaced with the set , which now also includes constraints (24) to (26).

V Numerical Experiments

House 23618 from the Residential Building Stock Assessment database [21] was used for the numerical simulations. This house is based in Emmett, Idaho, USA, which has a semi-arid climate with cold winters and multiple heating-days. Weather data with 5-minute resolution from Boulder, Colorado, USA, which has a similar climate was used in the simulations. The HEMS controllers from Section IV were simulated for 180 heating-days with hourly resolution in MATLAB 2018a and the Gurobi 8.1.0 optimisation solver.

For simplicity, we assume that the incoming water supply temperature is constant, and that and , which can be time-dependent, are also constant. Moreover, for ease of comparison, we assume that the controller has perfect knowledge of the sensitive load across the prediction horizon, and that the models used in the controller accurately represent the actual systems. The equivalent energy storage capacity of an FTL is hard to estimate, depends on many stochastic parameters such as weather conditions and consumer behaviour, and remains and ongoing field of research. For the simulations, we assumed that this capacity is given by the average daily thermal demand of the household over the simulation period, considering the simulation setup and assumptions. The general simulation parameters are given in Table I, while Table II gives the system specific parameters. For the FTL-based controllers, .

Prediction horizon, :
Number of Bins, :
Number of Bins, :
Energy Price (peak): cents/kWh
Energy Price (off-peak): cents/kWh
Minimum grid load, : kW
Maximum grid load, : kW
TABLE I: General Simulation Parameters
Equivalent storage cap.: kWh kWh kWh
Power rating: kW kW kW
Absolute min. temp.: - C -
Absolute max. temp.: - C -
Consumer set-point: - C C
Mains water temp.: - C -
Water heat cap., : - kJ/K -
: - kJ/K -
: - kJ/K -
Therm. coeff., : - e-4 kW/K -
Therm. coeff., : - e-4 kW/K -
: - - e-2
: - - e-1
: - - e-1
TABLE II: System Parameters

The majority of EWHs and ERHs that are currently installed are step loads. Hence, to better match realistic systems, the continuous duty-cycles from the hourly HEMS controllers were also converted into 5-minute on-off cycles by a secondary controller. This controller attempts to match the HEMS’ duty cycle, whilst also enforcing the FTL constraints in Section IV at 5-minute resolution. To further explore the privacy-protection of both ESS and FTL-based systems, HEMS controllers that do not consider energy costs were also simulated.

Fig. 2 shows the load profiles from an ESS-based system and an EWH based system with discretised control actions (5-minute simulation interval), with , and considering energy costs. As illustrated, the reduced flexibility of the EWH based system limits its ability to mask the sensitive load, resulting in more instances where the sensitive load is revealed, e.g., around time steps to . The ESS is also shown to have a single charge-discharge cycle within 24 hours. Here, is maximised instead as it was impossible to achieve minimal . Quantitatively, the privacy leakage of the various systems were assessed by first treating the loads as i.i.d. (IID MI) processes, and then as stationary first-order Markov processes (Markov MI); using the MI estimation methods described in [18]. It is important to note that the MI estimation methods assume that the FTLs are not privacy-sensitive, i.e., the privacy leakage from the FTL use is not considered. This is particularly important when interpreting the results when and energy cost is not considered in the objective function. Table III summarises the MI estimates from the various systems.

Both the ESS and EWH systems reached their privacy protection limit without sacrificing the other objectives with . As seen, the ESS system has less than half the privacy leakage compared to the EWH system with . Without considering energy costs, it can be seen that the ESS achieves much lower MI values, while there is only marginal improvement for the EWH due to comfort considerations. With a maximum water draw of l within an hour from the l hot water tank, there is insufficient flexibility when using the EWH to protect privacy with a C dead-band. The marginal increase in MI for the ESS without energy costs is due to the binary variables (multiple solution candidates). Moreover, at hourly simulation intervals, the EWH model is inaccurate, as can be seen from the step load versus non-step load EWH simulations. The actual operation of the EWH differs from the solution of the hourly control actions, as the system dynamics require the secondary controller to make minor adjustments in order to prevent constraint violations (e.g. more accurate water mixing and loss modelling). Hence, in reality one should use models that better represent the continuous dynamics of the thermal system, but that is beyond the scope of this paper. The minor adjustments by the secondary controller eventually led to minor reduction in MI in most cases, but that is coincidental.

Even when combining the EWH with an ERH, the privacy protection afforded still falls below that of the ESS with a fraction of storage capacity for . More importantly, the use of the ERH for privacy entails a significant Markov MI increase, due to the time-correlated dynamics of the system. The limitation of the ERH in providing more privacy protection again lies in the fact that the temperature dead-band is C, limiting flexibility, even when energy costs are ignored. This dead-band prevents over-heating the space or letting it cool below comfortable levels. Note that there is a very low IID MI when for the combined EWH and ERH system. This is due to the fact that coincidentally, the period when there is high space heating demand is also the period with high private information leakage (occupied and low-load night periods); and that the ERH usage is assumed to not reveal private information.

While there is substantial MI reduction for all systems even with (the entropy / MI for the sensitive load is bits), if the EWH and ERH usage is privacy-sensitive, then at , the EWH and ERH profiles are unprotected and fully reveal the information contained by their usage.

Fig. 2: Sensitive load, and grid loads with
IID MI Markov MI IID MI Markov MI IID MI Markov MI
ESS with energy costs 0.565 0.709 0.286 0.678 0.287 0.653
ESS without energy costs - - 0.149 0.672 0.154 0.671
Step load EWH with energy costs 0.656 0.859 0.655 0.837 0.647 0.823
Step load EWH without energy costs 0.658 0.831 0.633 0.817 0.633 0.817
Non-step load EWH with energy costs 0.791 0.941 0.693 0.870 0.679 0.864
Non-step load EWH without energy costs 0.813 0.915 0.628 0.821 0.628 0.824
Step load EWH and ERH with energy costs 0.367 1.062 0.362 1.066 0.362 1.080
Step load EWH and ERH without energy costs 0.136 0.788 0.326 1.214 0.326 1.208
TABLE III: Privacy Loss of the Simulated Systems with a 24-hour Prediction Horizon

Vi Conclusions and Future Outlook

In this paper, we studied the use of resistive FTLs for consumer privacy protection using UDS methods. Theoretical analysis shows that due to the fact that FTLs cannot compensate sensitive load by “discharging”, the level of protection afforded by them is below that of ESSs. Moreover, as seen from numerical experiments, the inflexibility of these systems due to the time-specific nature of thermal demand limits their performance; unless one allows for large temperature fluctuations or use largely over-sized systems. Nonetheless, controllable FTLs are able to afford some level of privacy protection, and should be utilised for privacy protection given their increasing ubiquity in households. Future work will consider the use of inductive loads and loads with interruptible, but fixed cycle lengths.


  • [1] E. McKenna, I. Richardson, and M. Thomson, “Smart meter data: Balancing consumer privacy concerns with legitimate applications,” Energy Policy, vol. 41, pp. 807–814, Feb. 2012.
  • [2] P. McDaniel and S. McLaughlin, “Security and privacy challenges in the smart grid,” IEEE Security and Privacy, vol. 7, no. 3, 2009.
  • [3] A. Molina-Markham, P. Shenoy, K. Fu, E. Cecchet, and D. Irwin, “Private memoirs of a smart meter,” in Proceedings of the 2nd ACM Workshop on Embedded Sensing Systems for Energy-Efficiency in Building, Zurich, Switzerland, 2010, pp. 61–66.
  • [4] L. Sankar, S. R. Rajagopalan, S. Mohajer, and H. Poor, “Smart meter privacy: A theoretical framework,” IEEE Transactions on Smart Grid, vol. 4, no. 2, pp. 837–846, 2013.
  • [5] S. McLaughlin, P. McDaniel, and W. Aiello, “Protecting consumer privacy from electric load monitoring,” in Proceedings of the 18th ACM conference on computer and communications security (CCS ’11), Chicago, Illinois, USA, 2011, pp. 87–98.
  • [6] W. Yang, N. Li, Y. Qi, W. Qardaji, S. McLaughlin, and P. McDaniel, “Minimizing private data disclosures in the smart grid,” in Proceedings of the 19th ACM conference on computer and communications security (CCS ’12), Raleigh, North Carolina, USA, 2012, p. 415.
  • [7] O. Tan, J. Gomez-Vilardebo, and D. Gündüz, “Privacy-cost trade-offs in demand-side management with storage,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 6, pp. 1458–1469, 2017.
  • [8] J. X. Chin, T. Tinoco De Rubira, and G. Hug, “Privacy-protecting energy management unit through model-distribution predictive control,” IEEE Trans. on Smart Grid, vol. 8, no. 6, pp. 3084–3093, 2017.
  • [9] G. Giaconi, D. Gündüz, and H. V. Poor, “Smart meter privacy with renewable energy and an energy storage device,” IEEE Trans. on Information Forensics and Security, vol. 13, no. 1, pp. 129–142, 2018.
  • [10] D. Koo, Y. Shin, and J. Hur, “Privacy-preserving aggregation and authentication of multi-source smart meters in a smart grid system,” Applied Sciences, vol. 7, no. 10, Sept. 2017.
  • [11] M. A. Mustafa, S. Cleemput, A. Aly, and A. Abidin, “A secure and privacy-preserving protocol for smart metering operational data collection,” IEEE Trans. on Smart Grid, 2019, to be published.
  • [12] C. Efthymiou and G. Kalogridis, “Smart grid privacy via anonymization of smart metering data,” in 2010 First IEEE International Conference on Smart Grid Communications, Gaithersburg, MD, USA, Oct. 2010.
  • [13] C. Rottondi, G. Mauri, and G. Verticale, “A data pseudonymization protocol for smart grids,” in 2012 IEEE Online Conference on Green Communications (GreenCom), Sept. 2012.
  • [14] M. U. Hassan, M. H. Rehmani, R. Kotagiri, J. Zhang, and J. Chen, “Differential privacy for renewable energy resources based smart metering,” Journal of Parallel and Distributed Computing, vol. 131, Sept. 2019.
  • [15] D. Chen, S. Kalra, D. Irwin, P. Shenoy, and J. Albrecht, “Preventing occupancy detection from smart meters,” IEEE Transactions on Smart Grid, vol. 6, no. 5, pp. 2426–2434, 2015.
  • [16] K. Baker and K. Garifi, “Power signature obfuscation using flexible building loads,” in International Workshop on Non-Intrusive Load Monitoring (NILM), Austin, TX, USA, Mar. 2018.
  • [17] B. Zhou, W. Li, K. W. Chan, Y. Cao, Y. Kuang, X. Liu, and X. Wang, “Smart home energy management systems: Concept, configurations, and scheduling strategies,” Renewable and Sustainable Energy Reviews, vol. 61, pp. 30–40, 2016.
  • [18] J. X. Chin, G. Giaconi, T. Tinoco De Rubira, G. Hug, and D. Gündüz, “Considering time correlation in the estimation of privacy loss for consumers with smart meters,” in 2018 Power System Computation Conference (PSCC), Dublin, Ireland, June 2018.
  • [19] X. Jin, J. Maguire, and D. Christensen, “Model predictive control of heat pump water heaters for energy efficiency,” in 2014 ACEEE Summer Study on Energy Efficiency in Buildings, Pacific Grove, CA, Aug. 2014.
  • [20] X. Jin, K. Baker, D. Christensen, and S. Isley, “Foresee: A user-centric home energy management system for energy efficiency and demand response,” Applied Energy, vol. 205, pp. 1583–1595, Nov. 2017.
  • [21] Ecotope Inc., “Residential building stock assessment: Metering study,” Northwest Energy Efficiency Alliance, Tech. Rep. E14-283, 2014. [Online]. Available: